CVE-2021-37938
MEDIUMKibana 7.9.0-7.15.1 - Path Traversal via .pbf File Loading
Title source: llmDescription
It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture for finding this vulnerability.
References (1)
Core 1
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://discuss.elastic.co/t/kibana-7-15-2-security-update/288923
Scores
CVSS v3
4.3
EPSS
0.0017
EPSS Percentile
37.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-22
CWE-269
Status
published
Products (1)
elastic/kibana
7.9.0 - 7.15.2
Published
Nov 18, 2021
Tracked Since
Feb 18, 2026